Friday, September 20, 2024

Oracle Responds To Information Security Critics

Oracle, the database company, is taking time on its corporate blog to answer a number of critics of the security of Oracle Database.

Like any other application, a database is only as secure as its configuration. It is very easy to take a default installation and call it a day, but a database system ships with features such as named pipes, logging levels, shell droppers, and built-in stored procedures and extended stored procedures, and any of these, left at defaults, can lead to some spectacular failures of the system.

Oracle, though, is under fire for two things: being slow to patch, and the resulting threat that a company will release a pile of zero-day vulnerabilities because of that slowness. On top of that, the mega-patch system currently in place causes its own special set of problems.

The criticism is that Oracle takes too long to patch a system, and that when it does, the patch is a mega patch fixing more than 100 security issues at once. From a DBA's perspective, if a built-in stored procedure works under one set of credentials and then begins to fail after any one of those 100 security fixes, it is very hard to go back and figure out what changed when dealing with a mega patch.

Then there is the whole idea of responsible disclosure. Personally, I know I am sitting on security flaws that have not been patched by some vendors who have been notified. I will not release them until the fix is already on the street, or until the vendor chooses to credit me with the work. Really, since it does not matter to me who gets credit as long as it is fixed, I have the luxury of that stance because neither my career nor my company depends on finding zero-day vulnerabilities.

Oracle states:

“We acknowledge all of the vulnerabilities at the time of the issuance of the appropriate fix and we credit security researchers for any vulnerability they discovered in the Critical Patch Update documentation,” he said. “However, we do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing zero-day exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack.”

Unfortunately, this is “business as usual” and part of the background acceptance we all have of issues in information security. From the street there is not much we can do about it; we wait and pray that no one else figures the flaw out. Responsible disclosure is just that: wait, and pray. While it is interesting that Argeniss decided it would release an Oracle zero-day each day in December until Oracle fixed them, this really does not help anyone, other than making noise for the company that is threatening to do it. Oracle could certainly patch faster, but that is something everyone who owns an Oracle software system needs to push for, just as the public did with other companies. When the public speaks, companies that want to survive listen.

Going off and making threats about releasing zero-day vulnerability information is really not a good idea. It is great for creating buzz about the company, even if some of it is negative buzz, and some companies run on the idea that any press is good press. Oracle, for its part, should take a look at both the process and the result. While I am sure Oracle would love to stay in business, it cannot afford to be irresponsible in how it manages its patch system either.

There are many dependencies in a database; anyone who has used one is familiar with them, and anyone who has had to secure one and manage its patch updates knows even more. Playing brinkmanship with zero-day vulnerabilities, though, is generally not a good idea, and neither is waiting and praying that no one else will figure the flaw out. If we as a group really want Oracle to do something, then the public voice has to be loud enough for the folks at Oracle to listen.


Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
